[BUG] Govc client cannot validate server based on thumbprint when proxy is configured

[hanlins]

Describe the bug
When proxy environment variables (e.g. HTTP_PROXY, HTTPS_PROXY) are set, govc client will bypass the thumbprint validation.

To Reproduce
Steps to reproduce the behavior:

1. Configures the thumbprint file, the connection works.
2. Then configures the proxy environment variables, the thumbprint validation is bypassed by golang's cert validation.

Expected behavior
When proxy environment variables are being configured, the thumbprint validation in govc client is bypassed. If user are using username/password together with thumbprint to validate the vCenter server, then there's no certificated being distributed to the server thus client won't find and SAN matching vCenter server as there's no CA cert at all and the request will fail.

Affected version
Please provide details on the version used, e.g. release tag, commit, module version, etc.

Screenshots/Debug Output

1. Here's the environment variables in the testing environment:

export GOVC_URL="https://10.193.1.165"
export GOVC_HOST="https://10.193.1.165"
export GOVC_USERNAME="administrator@vsphere.local"
export GOVC_PASSWORD="Admin!23"
#export GOVC_INSECURE=true
export GOVC_DATASTORE="local-0"
export GOVC_TLS_KNOWN_HOSTS="known_host"

The content of known_hosts file is:

10.193.1.165 20:F3:D4:62:1F:3E:C0:13:B9:F4:90:AD:57:F6:D7:BD:34:F8:C8:1C

Communication with vCenter works:

➜  govc datastore.ls
vCLS (2)
worker-1

2. Configure proxy variables in the testing environments:

➜  ~ export http_proxy="http://10.182.54.95:80"
➜  ~ export https_proxy="http://10.182.54.95:80"
➜  ~ curl -k -v google.com
* Uses proxy env variable http_proxy == 'http://10.182.54.95:80'
*   Trying 10.182.54.95...
* TCP_NODELAY set
* Connected to 10.182.54.95 (10.182.54.95) port 80 (#0)
> GET http://google.com/ HTTP/1.1
> Host: google.com
> User-Agent: curl/7.64.1
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 15 Jun 2021 22:41:39 GMT
< Expires: Thu, 15 Jul 2021 22:41:39 GMT
< Cache-Control: public, max-age=2592000
< Server: gws
< Content-Length: 219
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< X-Cache: MISS from kube-worker.c55f0f26
< X-Cache-Lookup: MISS from kube-worker.c55f0f26:80
< Via: 1.1 kube-worker.c55f0f26 (squid/3.5.27)
< Connection: keep-alive
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host 10.182.54.95 left intact
* Closing connection 0

You can see that the request is forwarded successfully by the proxy.
3. Try previous govc command again with proxy configs and failed:

➜  govc datastore.ls
govc: Post "https://10.193.1.165/sdk": x509: cannot validate certificate for 10.193.1.165 because it doesn't contain any IP SANs

Additional context
Need to prevent golang from overwriting the transport functionality that skips the thumbprint validation.

[github-actions]

Howdy 🖐   hanlins ! Thank you for your interest in this project. We value your feedback and will respond soon.

If you want to contribute to this project, please make yourself familiar with the CONTRIBUTION guidelines.

[hanlins]

Seems this is a known issue:

govmomi/session/manager.go

Lines 122 to 125 in 18b53fd

	// When http.Transport.Proxy is used, our thumbprint checker is bypassed, resulting in:
	// "Post https://sdkTunnel:8089/sdk: x509: certificate is valid for $vcenter_hostname, not sdkTunnel"
	// The only easy way around this is to disable verification for the call to LoginExtensionByCertificate().
	// TODO: find a way to avoid disabling InsecureSkipVerify.

Are we expecting a fix for this issue? @dougm

[dougm]

We use a custom http.Transport.DialTLS function to implement the thumbprint check, but that does not apply to proxy connections. Looks like we'd have to implement our own proxy client that does the http CONNECT and TLS session negotiation. Not sure what the correct and simple path for doing this is yet. I've have seen several references to golang.org/x/net/proxy for implementing custom proxy clients, but it isn't clear if we'd need that in this case.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.

[mcwumbly]

/remove-lifecycle stale

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Mark as fresh by adding the comment /remove-lifecycle stale.

[lubronzhan]

/remove-lifecycle stale